Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Many Layers of OAuth

Keith Casey
May 22, 2023
0
97

The Many Layers of OAuth

OAuth is one of the most important but most misunderstood frameworks out there. What you think it is, it probably isn’t. What it actually is, you probably hadn’t considered. Regardless, when you consider the standards, specifications, and common practices interact and fit together, it’s impressive what you can accomplish with minimal effort.

In this session, we’ll explore through the most common RFCs that are combined to make powerful, robust, and secure solutions that drive modern software development.

Keith Casey

May 22, 2023
Tweet

More Decks by Keith Casey

See All by Keith Casey
The Many Layers of OAuth, 2024
caseysoftware
0
2
Lift & Shift, Cut Overs, and other Bad Habits
caseysoftware
0
11
PII is a PITA
caseysoftware
0
14
Webhooks: Lessons (Un)learned
caseysoftware
0
37
So You Want to Build an App
caseysoftware
0
58
API Security: When Failure looks like Success
caseysoftware
0
150
API Design isn't Just Nouns & Verbs
caseysoftware
0
190
The Many Layers of OAuth
caseysoftware
0
190
(Mis)Using APIs for Fun & Profit
caseysoftware
0
160

Featured

See All Featured
The Invisible Side of Design
smashingmag
294
49k
The Power of CSS Pseudo Elements
geoffreycrofte
60
5k
Atom: Resistance is Futile
akmur
259
25k
The Mythical Team-Month
searls
216
42k
How to name files
jennybc
65
93k
The Brand Is Dead. Long Live the Brand.
mthomps
49
29k
Done Done
chrislema
178
15k
Why Our Code Smells
bkeepers
PRO
331
56k
Infographics Made Easy
chrislema
238
18k
Product Roadmaps are Hard
iamctodd
44
9.7k
Embracing the Ebb and Flow
colly
80
4.1k
It's Worth the Effort
3n
180
27k

Transcript

  1. The Many Layers Of OAuth Danger Casey API Problem Solver,

    GTM Guy, General Nuisance [email protected] May 2023

  2. © ngrok. All rights reserved. Confidential Information of ngrok 01

    Intro 02 OAuth Vocabulary 03 The Grant Types 04 Which one when? 05 The fun pain truth lies multitude of specs 06 Closing / Q&A Agenda

  3. 01 Who am I?

  4. © ngrok. All rights reserved. Confidential Information of ngrok Who

    am I?

  5. © ngrok. All rights reserved. Confidential Information of ngrok Who

    am I? https://www.youtube.com/@geekamongthetrees

  6. 02 OAuth Vocab

  7. © ngrok. All rights reserved. Confidential Information of ngrok ©

    ngrok. All rights reserved. Confidential Information of ngrok What is OAuth 2.0? It’s unrelated to OAuth 1.0

  8. © ngrok. All rights reserved. Confidential Information of ngrok ©

    ngrok. All rights reserved. Confidential Information of ngrok What is OpenID Connect (OIDC)? It’s unrelated to OpenID

  9. © ngrok. All rights reserved. Confidential Information of ngrok ©

    ngrok. All rights reserved. Confidential Information of ngrok Which is better: OAuth or OpenID Connect? Trick question: OIDC is part of OAuth

  10. © ngrok. All rights reserved. Confidential Information of ngrok ©

    ngrok. All rights reserved. Confidential Information of ngrok Authentication - vs - Authorization
  11. None

  12. © ngrok. All rights reserved. Confidential Information of ngrok -

    Resource Owner is you - Grant Type (aka Flow) describes the use case - Tokens represents the authorization, user or state - Authorization Server (aka Auth Server) creates the tokens - Scopes are the permissions you request from the Auth Server - Claims are the fields & data returned from the Auth Server - Resource Server is where you use the auth and id tokens Key OAuth Terms

  13. © ngrok. All rights reserved. Confidential Information of ngrok -

    Resource Owner is you - Grant Type how you get the tokens - Tokens are the tokens - Authorization Server creates the tokens - Scopes how you request stuff in the token - Claims the stuff in the token - Resource Server where you use the token Key OAuth Terms (simplified)

  14. © ngrok. All rights reserved. Confidential Information of ngrok Hotel

    Key Cards but for Apps

  15. 03 Grant Types

  16. © ngrok. All rights reserved. Confidential Information of ngrok -

    Authorization Code Flow - Implicit Flow - Resource Owner Password Flow - Client Credentials Flow Grant Types (aka OAuth flows)

  17. © ngrok. All rights reserved. Confidential Information of ngrok Authorization

    Code Flow User Auth Client Auth

  18. © ngrok. All rights reserved. Confidential Information of ngrok Implicit

    Flow User Auth No Client Auth!

  19. © ngrok. All rights reserved. Confidential Information of ngrok Resource

    Owner Password Flow User Auth No Client Auth! Wait. What does that mean!? The app has your creds!

  20. © ngrok. All rights reserved. Confidential Information of ngrok Client

    Credential Flow Client Auth No User Auth!?

  21. 04 Which should I use?

  22. © ngrok. All rights reserved. Confidential Information of ngrok Which

    do I use? Wait. Where did that come from?

  23. © ngrok. All rights reserved. Confidential Information of ngrok -

    Authorization Code Flow - Implicit Flow - Resource Owner Password Flow - Client Credentials Flow Grant Types (aka OAuth flows)

  24. © ngrok. All rights reserved. Confidential Information of ngrok -

    Authorization Code Flow - Implicit Flow - Resource Owner Password Flow - Client Credentials Flow Extensions - Authorization Code Flow with PKCE - SAML 2.0 Assertion Flow - Device Grant Type - Okta: Interaction Grant Type Grant Types (aka OAuth flows)

  25. © ngrok. All rights reserved. Confidential Information of ngrok Authorization

    Code Flow with PKCE (RFC 7636) User Auth Client Auth

  26. © ngrok. All rights reserved. Confidential Information of ngrok SAML

    2.0 Assertion Flow Client Auth No User Auth!?

  27. © ngrok. All rights reserved. Confidential Information of ngrok Which

    do I use?

  28. © ngrok. All rights reserved. Confidential Information of ngrok -

    Authorization Code Flow - Implicit Flow - deprecated in favor of Auth Code+PKCE - Resource Owner Password Flow - not recommended - Client Credentials Flow Extensions - Authorization Code Flow with PKCE - SAML 2.0 Assertion Flow - Device Flow - Okta: Interaction Grant Type Grant Types (aka OAuth flows)

  29. Specifications 05

  30. © ngrok. All rights reserved. Confidential Information of ngrok OAuth

    (RFC 6749)

  31. © ngrok. All rights reserved. Confidential Information of ngrok ©

    ngrok. All rights reserved. Confidential Information of ngrok Notice: NOT authentication

  32. © ngrok. All rights reserved. Confidential Information of ngrok What

    about those tokens?

  33. © ngrok. All rights reserved. Confidential Information of ngrok ©

    ngrok. All rights reserved. Confidential Information of ngrok JWTs to the Rescue! (JSON Web Tokens)

  34. © ngrok. All rights reserved. Confidential Information of ngrok ©

    ngrok. All rights reserved. Confidential Information of ngrok Ha. You wish.

  35. © ngrok. All rights reserved. Confidential Information of ngrok JSON

    Web Token (RFC 7519)

  36. © ngrok. All rights reserved. Confidential Information of ngrok JSON

    Web Token (RFC 7519)

  37. © ngrok. All rights reserved. Confidential Information of ngrok JSON

    Web Token (RFC 7519)

  38. © ngrok. All rights reserved. Confidential Information of ngrok JSON

    Web Token (RFC 7519)

  39. © ngrok. All rights reserved. Confidential Information of ngrok ©

    ngrok. All rights reserved. Confidential Information of ngrok So then what do we do?

  40. © ngrok. All rights reserved. Confidential Information of ngrok ©

    ngrok. All rights reserved. Confidential Information of ngrok OpenID Connect FTW

  41. © ngrok. All rights reserved. Confidential Information of ngrok OpenID

    Connect

  42. © ngrok. All rights reserved. Confidential Information of ngrok OIDC:

    Opinionated Structure • openid • profile • email • address • phone • name • given_name • email • street_address • phone_number And many more..

  43. © ngrok. All rights reserved. Confidential Information of ngrok •

    RFC 6749 OAuth Core • RFC 7519 JSON Web Token • RFC 7662 Token Introspection • RFC 7009 Token Revocation • OpenID Connect Specification • RFC 8414 Authorization Server Metadata Discovery More Pieces!

  44. © ngrok. All rights reserved. Confidential Information of ngrok •

    RFC 6749 OAuth Core • RFC 7519 JSON Web Token • RFC 7662 Token Introspection • RFC 7009 Token Revocation • OpenID Connect Specification • RFC 8414 Authorization Server Metadata Discovery More Pieces! The second most important RFC of all

  45. 06 Closing Thoughts

  46. © ngrok. All rights reserved. Confidential Information of ngrok ©

    ngrok. All rights reserved. Confidential Information of ngrok “We support OAuth” is a meaningless statement

  47. © ngrok. All rights reserved. Confidential Information of ngrok ©

    ngrok. All rights reserved. Confidential Information of ngrok “We support OpenID Connect” is useful (for SSO)

  48. © ngrok. All rights reserved. Confidential Information of ngrok ©

    ngrok. All rights reserved. Confidential Information of ngrok Figure out which combo of specs you need & they have *RFC 8414 is your best friend

  49. © ngrok. All rights reserved. Confidential Information of ngrok 01

    Intro 02 OAuth Vocabulary 03 The Grant Types 04 Which one when? 05 The fun pain truth lies multitude of specs 06 Closing / Q&A Recap

  50. Thank you

  51. The Many Layers Of OAuth Danger Casey API Problem Solver,

    GTM Guy, General Nuisance [email protected] May 2023